The Perfect Substitution

Network & Information Security Prof. Shawkat K. Guirguis

• Use many alphabets to produce a perfectly flat distribution with no recognizable pattern for the choice of any alphabet at any given point.
• Suppose the Vigenère Tableau were extended infinitely with a random
• Would defy the Kasiski Method. Any repeat encryptions would be purely coincidental
• IC = 0.038 suggesting a totally random encryption.

One-time Pads

• Called the perfect cipher because it uses an arbitrarily long encryption key
• Sender and receiver are provided a book of keys and encryption tableaus. If each key has length = 20, then a 300-letter message would require 15 keys pasted adjacently. After encryption and subsequent decryption, both sender and receiver destroy the keys.
• No key is ever used twice.

Problems with One-time Pads

• Requires absolute synchronization between sender and receiver
• Need exists for an unlimited number of keys
• Publishing, distributing and securing keys is a major problem - an administrative burden

Use Of Random Numbers

• Approximates one-time pads
• Computer generated random numbers must be scaled to the interval [0, 25]
• Requires complete synchronization between sender and receiver
• RN Generators are not truly random, and given enough , they can be broken

INFINITE KEYS Using Long RN Sequences

• $\mathrm{RANDNO}_{i+1} = (c \times \mathrm{RANDNO}_i + b) \bmod w$

where w is a large integer, typically $2^x$

• Short messages are generally pretty secure; long messages are vulnerable to probable word attacks

The Vernam Cipher

• The Vernam cipher is a type of one-time pad devised by Gilbert Vernam for AT&T.
• The Vernam cipher is immune to most cryptanalytic attacks.
• The basic encryption involves an arbitrarily long nonrepeating sequence of numbers that are combined with the plaintext.
• Vernam's invention used an arbitrarily long punched paper tape that fed into a teletype machine.
• The tape contained random numbers that were combined with characters typed into the teletype.
• The sequence of random numbers was non-repeating, and each tape was used only once.

The Vernam Cipher (cont.)

• As long as the key tape does not repeat or is not reused, this type of cipher is immune to cryptanalytic attack because the available ciphertext does not display the pattern of the key.
• A model of this process is shown in the next figure, Figure 2-7.

Vernam Model

[Figure 2-7: Vernam model. Labels: Long Random Number Sequence; Original Plaintext → ⊕ (Encryption) → Ciphertext → ⊕ (Decryption) → Plaintext]

⊕ denotes an XOR or other combining function

Example:

• We will perform a Vernam encryption in decimal notation.
• Assume that the alphabetic letters are combined by sum mod 26 with a stream of random two-digit numbers.
• If the message is VERNAM CIPHER
• the letters would first be converted to their numeric equivalents, as shown here:

V    E    R    N    A    M    C    I    P    H    E    R
21   4    17   13   0    12   2    8    15   7    4    17

Example: (cont.)

• Next we need some random numbers to combine with the letter codes.
• Suppose the following series of random two-digit numbers is generated.

76 48 16 82 44 03 58 11 60 05 48 88

• The encoded form of the message is the sum mod 26 of each coded letter with the corresponding random number.
• The result is then encoded in the usual base-26 alphabet representation.

Vernam Example

plaintext            V    E    R    N    A    M    C    I    P    H    E    R
numeric equivalent   21   4    17   13   0    12   2    8    15   7    4    17
+ random number      76   48   16   82   44   3    58   11   60   5    48   88
= sum                97   52   33   95   44   15   60   19   75   12   52   105
mod 26               19   0    7    17   18   15   8    19   23   12   0    1
ciphertext           t    a    h    r    s    p    i    t    x    m    a    b

Example: (cont.)

• In this example, the repeated random number 48 happened to fall at the places of repeated letters, accounting for the repeated ciphertext letter a; such a repetition is highly unlikely.
• The repeated letter t comes from different plaintext letters, a much more likely occurrence.
• Duplicate ciphertext letters are generally unrelated with this encryption algorithm.

The Binary Vernam Cipher

• This scheme works just as well with an "alphabet" of any other base.
• In order to encrypt a binary string (perhaps a series of words of binary data), random binary digits can be combined mod 2 with from the binary string.
• The result is another binary string .

The Binary Vernam Cipher (cont.)

For example, the binary number
101101100101011100101101011100101
can be encoded with the random binary stream
101111011110110101100100100110001
to produce the following ciphertext.
000010111011101001001001111010100

• Binary addition mod 2 can be calculated by the "exclusive-or" function, which is addition without carry.
• Exclusive or is often supplied as a basic machine instruction on computers, making it easier to implement this algorithm.
• Adding 0 produces no change, whereas adding 1 "complements" or reverses a .

Example

Encrypt the word “ABC” with the key “tom” using the binary Vernam cipher.

Characteristics of RNGs

• Many encryption algorithms rely on random numbers
• RNGs produce long period sequences but the cycle eventually repeats
• The linear congruential RNG is the most common type - requires a seed value

NEW_RANDNO := (A*OLD_RANDNO + B) mod N

A, B and N are constants; seed number and A must be relatively prime to N

Cracking Random Number Generators

• Notice that many encryption algorithms, like the Vernam cipher, incorporate random numbers.
• The safety of the encryption depends on the randomness of the numbers used.
• A random sequence for a Vernam cipher has to be truly random, meaning without any discernible pattern.
• For example, the binary string 01010101 has the obvious pattern of alternating 0s and 1s. Such a string would make a very bad choice for a random stream because of the discernible pattern.

Cracking Random Number Generators (cont.)

• Where can we get truly random numbers, especially in a form easy to use with computers?
• The two-digit decimal numbers used in the Vernam cipher example are middle digits from a list of phone numbers in a residential directory.
• As such, they would be expected to be free from patterns. (There may still be some non-uniformity because many easy-to-remember sequences, such as ddd-d000, ddd-1234, or ddd-1212, are assigned to businesses. Exploiting that non-uniformity would require the interceptor to acquire and analyze great amounts of ciphertext.)
• A telephone directory is rather limited as a source of random numbers, and the numbers may not be available in a machine-readable format.

Cracking Random Number Generators (cont.)

• A more common source of random numbers is a pseudo-random number generator computer program.

• Contrary to their name, these programs generate numbers from a predictable, repeating sequence.
• The most common type, the linear congruential random number generator, begins with an initial value or "seed," $r_0$. Each successive random number $r_{i+1}$ is generated by

$r_{i+1} = (a \cdot r_i + b) \bmod n$

where a, b, and n are constants.

Cracking Random Number Generators (cont.)

• Often, n is chosen as 1 more than the maximum number that can be stored in a computer word, so that this computation can be performed by discarding any portion of the intermediate result that exceeds storage.
• This generator produces random integers between 0 and n - 1. (See [KNU81] for a thorough study of random number generators.)
• If $r_0$ and a are relatively prime to n, each number between 0 and n - 1 will be generated before the sequence repeats.
• But once the repetition begins, the entire sequence repeats in order.

Cracking Random Number Generators (cont.)

• The problem with this form of random number generator is its dependability.
• Because each number depends only on the previous number, you can determine constants by solving a series of equations.

$r_1 = (a \cdot r_0 + b) \bmod n$

$r_2 = (a \cdot r_1 + b) \bmod n$

$r_3 = (a \cdot r_2 + b) \bmod n$

• An interceptor who has $r_0$, $r_1$, $r_2$ and $r_3$ can solve for a, b, and n.

Cracking Random Number Generators (cont.)

• An interceptor can get $r_0$, $r_1$, $r_2$ and $r_3$ by a probable word attack. (See next slide.)
• With a Vernam cipher, each ciphertext letter comes from the formula: $c_i = (r_i + p_i) \bmod 26$.
• If an interceptor of the ciphertext guesses that the message starts with MEMO (M = 12, E = 4, O = 14), the interceptor can try to substitute probable values of $p_i$ and solve for values of $r_i$.

Probable Word Attacks

• Given the structure of the linear congruential RNG, assume the first few ciphertext characters represent some likely word such as ‘MEMO,’ ‘DATE’ or ‘FROM’
• Inserting the numeric equivalents for the plaintext probable words, a system of simultaneous equations can be developed and solved

Cracking Random Number Generators (cont.)

$r_0 = (c_0 - 12) \bmod 26$
$r_1 = (c_1 - 4) \bmod 26$
$r_2 = (c_2 - 12) \bmod 26$
$r_3 = (c_3 - 14) \bmod 26$

• With these values of $r_0$ to $r_3$, the interceptor may be able to solve the three equations for a, b, and n.
• Given those, the interceptor can generate the full sequence of random numbers and obtain plaintext directly.
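
The weakness described on the preceding slides, carried through as an added example (not part of the original slides) to show why a linear congruential keystream cannot stand in for a one-time pad. It uses the binary (XOR) Vernam variant with an 8-bit generator so that each guessed plaintext byte yields a full r_i, and it assumes the modulus n = 256 is known, leaving only a and b to solve; the seed, constants, message and all function names are constructed for illustration.

```python
# Added example (not from the slides): LCG keystream vs. a probable-word guess.
N = 256  # assumption: modulus is known, n = 2^8 (one 8-bit word)

def lcg_stream(seed, a, b, count, n=N):
    """r_0 = seed, r_{i+1} = (a * r_i + b) mod n."""
    out, r = [], seed
    for _ in range(count):
        out.append(r)
        r = (a * r + b) % n
    return out

def vernam_xor(data, stream):
    """Binary Vernam: XOR each byte with one keystream value."""
    return bytes(d ^ r for d, r in zip(data, stream))

def recover_params(r, n=N):
    """Solve r1 = a*r0 + b and r2 = a*r1 + b (mod n) for a and b."""
    for i in range(len(r) - 2):
        diff = (r[i + 1] - r[i]) % n
        try:
            inv = pow(diff, -1, n)  # no inverse if diff shares a factor with n
        except ValueError:
            continue  # fall back to the next overlapping triple
        a = (r[i + 2] - r[i + 1]) * inv % n
        b = (r[i + 1] - a * r[i]) % n
        return a, b
    raise ValueError("no usable triple; more known plaintext is needed")

def probable_word_attack(ciphertext, guess, n=N):
    """Turn a guessed opening word into r_i, then into a, b and the plaintext."""
    r = [c ^ p for c, p in zip(ciphertext, guess)]  # r_i = c_i XOR p_i
    a, b = recover_params(r, n)
    if lcg_stream(r[0], a, b, len(r), n) != r:
        raise ValueError("guess does not fit a linear congruential keystream")
    stream = lcg_stream(r[0], a, b, len(ciphertext), n)
    return a, b, vernam_xor(ciphertext, stream)

# Constructed sample: seed, a and b are made-up values known only to the sender.
SEED, A, B = 77, 141, 59
MESSAGE = b"MEMO TO ALL STAFF: KEY TAPES ARE DESTROYED AFTER USE"
CIPHERTEXT = vernam_xor(MESSAGE, lcg_stream(SEED, A, B, len(MESSAGE)))

if __name__ == "__main__":
    a, b, plain = probable_word_attack(CIPHERTEXT, b"MEMO")
    print(f"recovered a={a}, b={b}")
    print(plain.decode())
```

Four guessed bytes are enough to reproduce the entire keystream here. A pad for real use has to come from a cryptographically secure source (in Python, the `secrets` module), where observed outputs do not determine later ones.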

CRYPTANALYTIC TOOLS FOR SUBSTITUTION

• Frequency distribution
• Index of coincidence
• Consideration of highly likely letters and probable words
• Pattern analysis and Kasiski approach
• Persistence, organization, ingenuity, and luck
